> From:  [EMAIL PROTECTED]
> Date:  Wed, 09 Oct 2002 05:16:31 +0900 (JST)
>
> I wouldn't want this to be the case for messages that claim to be from
> someone on my keyring (at least not until spammers start sucking
> information off of keyservers and customize their spam according to
> people who have signed your key) or whitelist.  I don't think every
> PGP user is diligent about creating a new key when an old one expires for
> instance (I believe it would be better if they did, of course).

Are you suggesting that spammers might crack PGP and send messages that appear 
to be signed by someone on my keyring?

If they get to the point of actually signing messages, I'll stop automatically 
grabbing keys from the key servers, but in general, I'm not worried about signed 
messages being SPAM.

> I also have a vague memory of the verification function of either PGP
> or GnuPG not considering certain valid signatures valid (a bug that's
> been fixed by now, I believe) -- I wouldn't want to lose such
> messages.

Good point.

> Also, could you clarify which you think should take precedence -- an
> entry in a whitelist (or explicit mentioning in a TMDA configuration
> file) or a signed message?  My inclination at the moment is that
> whitelist entries should take precedence.

I think so too.  However, I think I'd have both categories do the
same thing, so it wouldn't matter a lot to me.

> Which brings up a point about the possibility of building a whitelist
> from a keyring -- or the reverse of trying to find keys for addresses
> contained in one's whitelist ;-)

Yeah.

> Slightly off-topic, I had a discussion a while back where the idea of
> "introducing" someone via a valid PGP-signed message came up.  The
> idea is that if Alice and Bob know each other and Alice knows Jason,
> Alice can "introduce" Jason to Bob by sending Bob a signed message
> containing Jason's address (in the signed portion of course).  It
> seems that a mechanism to support this could be implemented using TMDA
> -- e.g. a valid signed message containing a new email address from a
> valid introducer gets added to a whitelist.

Seems so.

Chris

-- 
Chris Garrigues                 http://www.DeepEddy.Com/~cwg/
virCIO                          http://www.virCIO.Com
716 Congress, Suite 200
Austin, TX  78701               +1 512 374 0500

  World War III:  The Wrong-Doers Vs. the Evil-Doers.



Attachment: msg00372/pgp00000.pgp
Description: PGP signature
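
The "introduction" mechanism discussed in the message above, sketched as an added example (not from this thread and not TMDA code): a message counts as an introduction only when GnuPG reports exactly one valid signature from a key listed as an introducer, and only addresses inside the verified text are whitelisted. The function names, the strict policy of rejecting expired keys, and the sample fingerprint and status lines are assumptions constructed for illustration; the status keywords are the ones GnuPG writes with `--status-fd`.

```python
import re

# Status keywords written by `gpg --status-fd`; any of them vetoes the message.
# Rejecting expired keys too is a strict policy assumed for this example.
REJECT = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Constructed sample values, not taken from any real key or message.
ALICE_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Alice <alice@example.org>\n"
    "[GNUPG:] VALIDSIG " + ALICE_FPR + " 2002-10-08 1034108191 0 3 0 17 2 01 "
    + ALICE_FPR + "\n"
)


def signer_fingerprint(status_text):
    """Return the signer's primary key fingerprint, or None unless exactly
    one signature verified and no failure keyword was reported."""
    fingerprints = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword, args = fields[1], fields[2:]
        if keyword in REJECT:
            return None
        if keyword == "VALIDSIG" and args:
            # The tenth argument is the primary key fingerprint when present.
            fingerprints.append((args[9] if len(args) > 9 else args[0]).upper())
    return fingerprints[0] if len(fingerprints) == 1 else None


def apply_introduction(status_text, signed_text, introducers, whitelist):
    """Whitelist addresses found in the verified text; return the new ones.

    signed_text must be the text gpg emitted as verified, never the raw
    message body, or unsigned lines around the signed block could inject
    addresses.
    """
    fingerprint = signer_fingerprint(status_text)
    if fingerprint is None or fingerprint not in introducers:
        return []
    added = []
    for address in ADDRESS.findall(signed_text):
        address = address.lower()
        if address not in whitelist:
            whitelist.add(address)
            added.append(address)
    return added
```

Keying the introducer set on full fingerprints rather than on the claimed From address or a short key ID means a key fetched automatically from a keyserver cannot act as an introducer just by carrying a familiar name.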
